Keeping your personal information private

VPN services can protect your anonymity, but you need to ask the right questions

The revelations around the NSA’s secret spying program have thrust the issue of online surveillance into the public consciousness like never before. Over the coming years it’s reasonable to expect more people will start using privacy tools, such as Virtual Private Network services, to protect their online data from surveillance.

But as a previous post on Invisibler rightly mentioned, VPNs cannot always be trusted – many log data and cooperate with authorities in the same way as an Internet Service Provider (ISP). Are all VPN services therefore unable to protect your privacy?

As the CEO of IVPN, I am obviously somewhat biased on this issue, but I would argue commercial VPN services can be very effective privacy tools. The only problem is, you have to trust the service you're using. Before signing up to a VPN there are three main questions you need to ask, and in this article I will go over them.

What data does a VPN log?

Firstly, you need to know what data a VPN logs and stores. If you are paying via any mainstream payment platform, such as credit card or PayPal, then your billing data will be stored with the VPN – it's unavoidable. However, if the VPN accepts Bitcoin, then no information linked to your real-world identity will be stored.

But even if you can't find a VPN that accepts Bitcoin as a form of payment, it is worth keeping in mind that your use of your credit card only proves that you are using a VPN service – that in itself is no grounds for suspicion. This information will also be discoverable via your ISP's logs.

VPNs will also usually store your IP address in some form, but you need to make sure that the stored IP address is anonymised. Logs of the websites you visit will also typically be stored in order to troubleshoot network issues. But if the VPN is serious about privacy, then this period of storage will be so short that it does not compromise your privacy (for instance, IVPN's logs are wiped every 10 minutes), and the logs cannot be linked to your IP address. If logs are held for any more than a few days, steer clear.

What happens if law enforcement demands data?

As long as the above data is not stored for a significant amount of time then the authorities cannot access it – even if they seize a VPN’s servers – because it won’t exist. In the case of Hide My Ass (one of the most popular VPN services) data is stored for two years, which is obviously a security risk.

The other way a law enforcement agency could compromise your privacy is by serving a VPN with a subpoena and demanding it start logging your data. If the VPN's privacy policy does not state what it would do in such a case, ask the VPN provider directly. Any VPN that is serious about privacy would take measures to notify its users in such an eventuality. Not doing so would risk the reputation and business of that VPN.

What happens if laws change?

The world is currently in the middle of a communications revolution and governments are desperately trying to catch up by implementing new surveillance laws – from CISPA in the US, to the CCDP in the UK. It's therefore very important to know how your VPN will behave if the laws in its jurisdiction change in a way that impacts your privacy. Will the VPN notify you of any impending changes? Will you be able to cancel your subscription and get your money back? These are the questions you should be asking. Also, in light of PRISM, and previous scandals such as the NSA wiretapping controversy, it is safe to say that the US is no longer a jurisdiction that can be trusted.

If you can get satisfactory answers to these three questions then you can be confident the VPN takes privacy seriously. At the end of the day there are many VPNs that are not really privacy services (they simply rely on the acronym 'VPN' being synonymous with the concept of online privacy). But there are VPN services that have built their whole reputations and business on the principles of online privacy. Obviously, this is an issue of trust. Emailing or talking to the individuals behind the VPN service, as well as researching their reputation, can help reassure you they have your best interests at heart. For more information on how to choose a VPN, take a look at our ongoing article series on understanding VPN privacy policies.

Comments

The only information you can trust is that you cannot trust any VPN provider. All of them provide data to the authorities, otherwise they wouldn't be allowed to operate in the USA. VPN providers can be legally forced not to make any information about such cooperation public.

If you need anonymity, forget it. It is gone. If you just need to hide your location from streaming services, go ahead. Just don’t be surprised once you realize that some large VPN providers are indirectly controlled by streaming services providers. All the media conglomerates that produce movies and TV shows are pretty well aware of this fact as they are in on it too.

With regards to a demand to install realtime surveillance capability on a VPN network, you’ve overlooked one additional option.

Since 2008, Cryptocloud has had a publicly-announced policy of "corporate seppuku" – if an attempt is made to coerce them into installing or provisioning surveillance capability on their privacy network, they will shut down/"wipe" the entire company and all its servers rather than participate. The details:

To our knowledge, they are the only VPN company – and perhaps the only commercial privacy services company – to have such a policy in place. They have stood by it, although thus far they have not had to actually 'pull the trigger', as it were (twice they came close; source: personal correspondence from the company).

Our hope is that such policies become far more commonplace. There is nothing stopping other companies from making such public statements, which under the basic tenets of Nash’s game theory, serves as a strong disincentive for LEO to attempt such coercion in the first place – and for the company to consider allowing it, if approached. In short, it’s a policy that is low-cost and high-benefit for customers – and should be more widely considered.

Disclosure: Baneki did help draft the original version of Cryptocloud’s corporate seppuku statement, and as such we’re not entirely independent of its etiological foundations – for whatever that means, pro or con.